CVE-2017-16654

Source
https://cve.org/CVERecord?id=CVE-2017-16654
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-16654.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2017-16654
Published
2018-08-06T21:29:00.330Z
Modified
2026-05-28T04:03:46.047406227Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
[none]
Details

An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The Intl component includes various bundle readers that are used to read resource bundles from the local filesystem. The read() methods of these classes use a path and a locale to determine the language bundle to retrieve. The locale argument value is commonly retrieved from untrusted user input (like a URL parameter). An attacker can use this argument to navigate to arbitrary directories via the dot-dot-slash attack, aka Directory Traversal.

Database specific
{
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "introduced": "3.8.0"
                },
                {
                    "last_affected": "3.8.30"
                },
                {
                    "introduced": "3.8.0"
                },
                {
                    "last_affected": "3.8.30"
                }
            ],
            "cpes": [
                "cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*"
            ],
            "vendor_product": "sensiolabs:symfony",
            "source": "CPE_RANGE"
        },
        {
            "extracted_events": [
                {
                    "last_affected": "8.0"
                },
                {
                    "last_affected": "9.0"
                }
            ],
            "cpes": [
                "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
                "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"
            ],
            "vendor_product": "debian:debian_linux",
            "source": "CPE_STRING"
        }
    ]
}
References

Affected packages

Git / github.com/symfony/security-http

Affected ranges

Type
GIT
Repo
https://github.com/symfony/security-http
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "2.7.0"
        },
        {
            "last_affected": "2.7.37"
        },
        {
            "introduced": "3.2.0"
        },
        {
            "last_affected": "3.2.13"
        },
        {
            "introduced": "3.3.0"
        },
        {
            "last_affected": "3.3.12"
        }
    ],
    "cpe": "cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*",
    "source": "CPE_RANGE"
}

Affected versions

v2.*
v2.7.0
v2.7.1
v2.7.10
v2.7.12
v2.7.13
v2.7.14
v2.7.15
v2.7.16
v2.7.17
v2.7.18
v2.7.19
v2.7.2
v2.7.20
v2.7.21
v2.7.22
v2.7.23
v2.7.24
v2.7.25
v2.7.26
v2.7.27
v2.7.28
v2.7.29
v2.7.3
v2.7.30
v2.7.31
v2.7.32
v2.7.33
v2.7.34
v2.7.35
v2.7.36
v2.7.37
v2.7.4
v2.7.5
v2.7.6
v2.7.7
v2.7.8
v2.7.9
v3.*
v3.2.0
v3.2.0-RC2
v3.2.1
v3.2.10
v3.2.11
v3.2.12
v3.2.13
v3.2.2
v3.2.3
v3.2.4
v3.2.5
v3.2.6
v3.2.7
v3.2.8
v3.2.9
v3.3.0
v3.3.1
v3.3.10
v3.3.11
v3.3.12
v3.3.2
v3.3.3
v3.3.4
v3.3.5
v3.3.6
v3.3.7
v3.3.8
v3.3.9

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-16654.json"

Git / github.com/symfony/symfony

Affected ranges

Type
GIT
Repo
https://github.com/symfony/symfony
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "2.7.0"
        },
        {
            "last_affected": "2.7.37"
        },
        {
            "introduced": "3.2.0"
        },
        {
            "last_affected": "3.2.13"
        },
        {
            "introduced": "3.3.0"
        },
        {
            "last_affected": "3.3.12"
        }
    ],
    "cpe": "cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*",
    "source": "CPE_RANGE"
}

Affected versions

v2.*
v2.7.0
v2.7.1
v2.7.10
v2.7.11
v2.7.12
v2.7.13
v2.7.14
v2.7.15
v2.7.16
v2.7.17
v2.7.18
v2.7.19
v2.7.2
v2.7.20
v2.7.21
v2.7.22
v2.7.23
v2.7.24
v2.7.25
v2.7.26
v2.7.27
v2.7.28
v2.7.29
v2.7.3
v2.7.30
v2.7.31
v2.7.32
v2.7.33
v2.7.34
v2.7.35
v2.7.36
v2.7.37
v2.7.4
v2.7.5
v2.7.6
v2.7.7
v2.7.8
v2.7.9
v3.*
v3.2.0
v3.2.1
v3.2.10
v3.2.11
v3.2.12
v3.2.13
v3.2.2
v3.2.3
v3.2.4
v3.2.5
v3.2.6
v3.2.7
v3.2.8
v3.2.9
v3.3.0
v3.3.1
v3.3.10
v3.3.11
v3.3.12
v3.3.2
v3.3.3
v3.3.4
v3.3.5
v3.3.6
v3.3.7
v3.3.8
v3.3.9

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-16654.json"